Coverton Ransomware Infection Support and Help Topic - !!!-WARNING-!!!.html

10 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 23 March 2016 - 09:12 PM

This is the support topic for the Coverton Ransomware infection. This ransomware is currently being analyzed and thus there is not much information on it as of yet.

What is known is that it is calling itself Coverton and when someone is infected it will append the .coverton extension to encrypted files. It targets the following extensions:
 
1cd dbf dt cf cfu mxl epf kdbx erf vrp grs geo st pff mft efd 3dm 3ds rib ma sldasm sldprt max blend lwo lws m3d mb obj x x3d c4d fbx dgn dwg 4db 4dl 4mp abs accdb accdc accde accdr accdt accdw accft adn a3d adp aft ahd alf ask awdb azz bdb bib bnd bok btr bak backup cdb ckp clkw cma crd daconnections dacpac dad dadiagrams daf daschema db db2 db3 dbc dbk dbs dbt dbv dbx dcb dct dcx ddl df1 dmo dnc dp1 dqy dsk dsn dta dtsx dxl eco ecx edb emd eql fcd fdb fic fid fil fm5 fmp fmp12 fmpsl fol fp3 fp4 fp5 fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdb mdbhtml mdf mdn mdt mrg mud mwb s3m myd ndf ns2 ns3 ns4 nsf nv2 nyf oce odb oqy ora orx owc owg oyx p96 p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq sqb stp sql sqlite sqlite3 sqlitedb str tcx tdt te teacher tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb zdc cdr cdr3 ppt pptx 1st abw act aim ans apt asc ascii ase aty awp awt aww bad bbs bdp bdr bean bna boc btd bzabw chart chord cnm crwl cyi dca dgs diz dne doc docm docx docxml docz dot dotm dotx dsv dvi dx eio eit email emlx epp err etf etx euc fadein faq fb2 fbl fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt fountain gtp frt fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hwp hz idx iil ipf jarvis jis joe jp1 jrtf kes klg knt kon kwd latex lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lxfml lyt lyx man map mbox md5txt me mell min mnt msg mwp nfo njx notes now nwctxt nzb ocr odm odo odt ofl oft openbsd ort ott p7s pages pfs pfx pjt plantuml prt psw pu pvj pvm pwi pwr qdl readme rft ris rng rpt rst rt rtd rtf rtx run rzk rzn saf safetext sam scc scm scriv scrivx sct scw sdm sdoc sdw sgm sig skcard sla slagz sls smf sms ssa strings stw sty sub sxg sxw tab tdf tex text thp tlb tm tmv tmx tpc trelby tvj txt u3d u3i unauth unx uof uot upd utf8 unity utxt vct vnt vw wbk wcf webdoc wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wpl wps wpt wpw wri wsc wsd wsh wtx xbdoc xbplate xdl xlf xps xwp xy3 xyp xyw ybk yml zabw zw 2bp 
3fr 73i 8xi 9png abm afx agif agp aic albm apd apm apng aps apx art artwork arw asw avatar bay blkrt bm2 bmp bmx bmz brk brn brt bss bti c4 cal cals can cd5 cdc cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib dicom djv djvu dm3 dmi vue dpx wire drz dt2 dtw dvl ecw eip exr fal fax fpos fpx g3 gcdp gfb gfie ggr gif gih gim gmbck gmspr spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info int ipx itc2 iwi j j2c j2k jas jb2 jbig jbig2 jbmp jbr jfif jia jng jp2 jpe jpeg jpg jpg2 jps jpx jtf jwl jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs myl ncr nct nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 ai asy cdmm cdmt cdmtz cdmz cdt cgm cmx cnv csy cv5 cvg cvi cvs cvx cwt cxf dcs ded design dhs dpp drw dxb dxf egc emf ep eps epsf fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg gdraw gem glox hpg hpgl hpl idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx mmat mat otg ovp ovr pcs pfd pfv pl plt pm vrml pmg pobj ps psid rdl scv sk1 sk2 slddrt snagitstamps snagstyles ssk stn svf svg svgz sxd tlc tne ufr vbr vec vml vsd vsdm vsdx vstm stm vstx wmf wpg vsm vault xar xmind xmmap yal orf ota oti ozb ozj ozt pal pano pap pbm pc1 pc2 pc3 pcd pcx pdd pdn pe4 pef pfi pgf pgm pi1 pi2 pi3 pic pict pix pjpeg pjpg png pni pnm pntg pop pp4 pp5 ppm prw psd psdx pse psp pspbrush ptg ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli rpf rri rs rsb rsr rw2 rwl s2mv sai sci sep sfc sfera sfw skm sld sob spa spe sph spj spp sr2 srw ste sumo sva save ssfn t2b tb0 tbn tfc tg4 thm thumb tif tiff tjp tm2 tn tpi ufo uga vda vff vpe vst wb1 wbc wbd wbm wbmp wbz wdp webp wpb wpe wvl x3f y ysp zif cdr4 cdr6 cdrw pdf ddoc css pptm raw cpt tga xpm ani flc fb3 fli mng smil mobi swf html xls xlsx csv xlsm ods xhtml maf asp aspx php mhtml wlmp 7z 7z001 7z002 a00 a01 a02 ace agg ain alz apz ar arc arh ari arj ark axx b1 b64 ba bh bhx bndl boo bz bz2 bza bzip bzip2 c00 c01 c02 c10 car cb7 cba cbr cbz cdz cp9 czip 
dd deb dgc dist dz ecs efw epi f fdp fp8 gca gmz gz gz2 gza gzi gzip ha hbc hbc2 hbe hki hki1 hki2 
The HTML ransom note is:
 

html-ransom-note.png


The payment site is called Coverton Decryptor and looks like:
 

coverton-decryptor.jpg
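The two facts in the post that a responder can act on are the appended `.coverton` extension and the list of targeted file types. The following triage script is an added example, not code from the thread or from any BleepingComputer tool: it walks a directory, finds files carrying the ransom extension, strips it to recover the original extension, and reports which of those types are in the targeted list. The `TARGETED` set is a constructed short subset of the list above, and the sample directory it builds is constructed for the demonstration.

```python
"""Added example: triage a tree for files renamed with the .coverton extension."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the ransomware appends to encrypted files, per the post above.
RANSOM_EXT = ".coverton"

# Constructed subset of the targeted-extension list quoted in the post;
# the real list is far longer.
TARGETED = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png",
            "sql", "mdb", "txt", "zip"}


def classify(path):
    """Return (original_ext, in_targeted_list) for an encrypted file,
    or None when the path does not carry the ransom extension.
    Comparison is case-insensitive because the extension is seen
    both as .coverton and .COVERTON."""
    path = Path(path)
    if path.suffix.lower() != RANSOM_EXT:
        return None
    # Drop the appended extension to recover the original file name.
    original = path.with_suffix("")
    ext = original.suffix.lower().lstrip(".")
    return ext, ext in TARGETED


def scan(root):
    """Walk root; count encrypted files by original extension and collect
    the paths whose original type is not in the known targeted list
    (useful for spotting a variant with a wider target set)."""
    hits = Counter()
    untargeted = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            result = classify(full)
            if result is None:
                continue
            ext, targeted = result
            hits[ext] += 1
            if not targeted:
                untargeted.append(str(full))
    return hits, untargeted


def build_sample_tree(root):
    """Constructed directory layout resembling an infected user profile."""
    names = ["report.docx.coverton", "budget.xlsx.coverton",
             "photo.jpg.coverton", "readme.txt",
             "archive.bin.coverton", "!!!-WARNING-!!!.html"]
    for n in names:
        (Path(root) / n).write_bytes(b"x")
    sub = Path(root) / "db"
    sub.mkdir()
    (sub / "customers.mdb.coverton").write_bytes(b"x")


def demo():
    """Run the scan over the constructed tree; returns (counts, n_untargeted)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits, untargeted = scan(tmp)
        return dict(hits), len(untargeted)


if __name__ == "__main__":
    counts, n_untargeted = demo()
    for ext, n in sorted(counts.items()):
        print(f"{ext or '(none)'}: {n}")
    print(f"encrypted files outside the known target list: {n_untargeted}")
```

The `untargeted` list is the part worth reading on a real host: a `.coverton` file whose original extension is not in the published list is either a gap in the list or a different variant, and either way is worth keeping a copy of for analysis.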




#2 TheBulgarian

TheBulgarian

  • Members
  • 3 posts

Posted 24 March 2016 - 04:57 PM

Hello!

My computer recently got infected by Coverton ...

Did anyone pay the ransom?

Are they explaining how to decrypt the hard drive after you pay?

I don't see how I can receive the keys and instructions on how to fix the problem :/

 



#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 25 March 2016 - 08:12 AM

Yes, it appears from others' experiences that they are providing the decryptor after payment. If you can, though, do everything you can to restore from other means before paying them.

#4 Noteworthy

Noteworthy

  • Members
  • 2 posts

Posted 26 March 2016 - 08:15 AM

Any hash so far ?



#5 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 26 March 2016 - 08:33 AM

.COVERTON Extension 33eb1feccc8f49a81a8acd323a32eec3f1a5e2ac
.ENIGMA extension 1d1280041ed38b80fb14a39a0c738bb9071c819ec6cab0dc5fde39ad03814fa4
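The two digests above are the only indicators in the thread, and they are of different lengths: 40 hex characters is a SHA-1, 64 is a SHA-256. The script below is an added example, not code from the thread: it normalises an indicator list, computes both digests of a file in one streaming pass, and reports a match on whichever algorithm the indicator used. The labels attached to the two hashes follow the post; the sample file and the extra indicator registered in `demo()` are constructed so the match path runs offline.

```python
"""Added example: match files against the SHA-1 / SHA-256 indicators posted."""
import hashlib
import tempfile
from pathlib import Path

# Digests exactly as given in the post above; labels follow the post.
KNOWN_HASHES = {
    "33eb1feccc8f49a81a8acd323a32eec3f1a5e2ac": ".COVERTON extension sample",
    "1d1280041ed38b80fb14a39a0c738bb9071c819ec6cab0dc5fde39ad03814fa4": ".ENIGMA extension sample",
}
# Algorithm is inferred from digest length.
ALGO_BY_LENGTH = {40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def normalise_ioc_list(raw):
    """Lower-case and validate digests; returns {digest: label}.
    Entries that are not hex or not of a known length are dropped rather
    than kept as values that could never match anything."""
    out = {}
    for digest, label in raw.items():
        d = digest.strip().lower()
        if len(d) in ALGO_BY_LENGTH and set(d) <= HEX:
            out[d] = label
    return out


def _digest_chunks(chunks):
    """Feed each chunk to every configured hasher; one pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_LENGTH.values()}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """SHA-1 and SHA-256 of an in-memory byte string."""
    return _digest_chunks([data])


def file_digests(path, chunk=1 << 16):
    """SHA-1 and SHA-256 of a file, read in 64 KiB chunks."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk), b""))


def match_file(path, iocs):
    """Return the indicator label if either digest of the file is listed,
    else None. Both algorithms are checked because the list mixes them."""
    digests = file_digests(path)
    for name in ("sha1", "sha256"):
        label = iocs.get(digests[name])
        if label is not None:
            return label
    return None


def demo():
    """Constructed run: a sample file's own SHA-256 is added to the
    indicator list so a hit and a miss are both exercised offline."""
    iocs = normalise_ioc_list(KNOWN_HASHES)
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample payload, not the real malware")
        clean = Path(tmp) / "clean.txt"
        clean.write_bytes(b"unrelated file")
        # Constructed indicator, not one from the thread.
        iocs[file_digests(sample)["sha256"]] = "constructed sample"
        return match_file(sample, iocs), match_file(clean, iocs)


if __name__ == "__main__":
    hit, miss = demo()
    print(f"sample.bin -> {hit}")
    print(f"clean.txt  -> {miss}")
```

On a real host the indicator list would be loaded from a file and `match_file` applied to the dropped executables and the ransom note; the normalisation step matters because hashes are frequently pasted with mixed case or trailing whitespace, and an unnormalised list silently matches nothing.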

#6 TheBulgarian

TheBulgarian

  • Members
  • 3 posts

Posted 26 March 2016 - 11:58 AM

We paid, they gave us the decryptor and the key, but unfortunately 2/3 of our data is corrupted.



#7 TechGuru11

TechGuru11

  • Members
  • 85 posts
  • Gender:Male

Posted 26 March 2016 - 02:06 PM

Same issue here. Paid, and much of the data is corrupted. The decryptor they send seems to be junk. If anyone wants to take a stab at this, I've provided the link below with the decryptor they sent us. I don't know if the corrupted files can be salvaged or not :(

 

https://www.sendspace.com/file/u9fzzs



#8 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 26 March 2016 - 04:02 PM

Which variant of Coverton were you affected by: Enigma, Coverton, or the random-looking one? When I say variant, I mean the extension added to encrypted files.

#9 TechGuru11

TechGuru11

  • Members
  • 85 posts
  • Gender:Male

Posted 26 March 2016 - 04:07 PM

Coverton - I've also attached a file below:

 

https://www.sendspace.com/file/mno0nz



#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 26 March 2016 - 04:24 PM

K thanks.

#11 TheBulgarian

TheBulgarian

  • Members
  • 3 posts

Posted 26 March 2016 - 05:07 PM

.Coverton for us too...





